An XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs Coppermine (any version) will have to apply this security fix as soon as possible:

users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.

users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find

users running the devel version cpg1.4.x: make sure to update all your files from the CVS as suggested in the sticky thread on the cpg1.4 testing/bugs board.

users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable

I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.

[edit GauGau] New package released: a brand new package cpg1.3.4 has been released that contains the above-mentioned fix. - Download cpg1.3.4 [/edit]

Joachim

[edit]Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya[/edit]

Hey, I'm not trying to accuse anyone of anything, I'm just saying that it ain't working for me. Maybe the "fixes" are a bit different in truth, but the only thing that worked for me is the fix on this page...

Once again like I said, I never knew about this problem before upgrading to the stable version I downloaded tonight. Or maybe it's my configuration or something, who knows. I'm just trying to help other people not go through the hours I spent trying to fix this. Cuz when I read that the downloaded version was fixed, I was pulling my hair out wondering why it doesn't work.

Maybe you should just stick the fix here in the stable version instead of the "other" fix. Just out of curiosity, what was the "other" fix?

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

The code which you changed is part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix, lines 328 to 331, is present in the stable package.

Well I'm sorry to say that it's not working. Maybe you need to check it again, but it's not working for me. Maybe it's due to my particular images, who knows. One thing is that I didn't get this error on all my images. I don't know why. And of course I don't get it at all if I turn the IPTC on Jpegs off completely.

I've started thread /var/www/cpg134/displayimage.php on line 334 and if I understand this thread right, the problem should be fixed with newest downloads, but I used a download of yesterday. Maybe I had an old version in my cache. It would be good if there were an md5sum on the website.

With this version I got the error: b1b10229422583bdad5ca4ff44281ac5 cpg1.3.4.zip

I would like to add that some EXIF and IPTC fields are empty, although the info is in the image. Every Comment contains at the beginning ASCII

A few minutes ago I downloaded cpg1.3.4.zip from 3 different locations and the md5sum is still b1b10229422583bdad5ca4ff44281ac5, which produces errors here. Does this version work for others or do we have to be patient for a new version? It is not a problem for me if it takes days; if the problem is solved, I only want to know if I have to wait.

I won't comment on this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetic issue.

Joachim

Quote

I think I may have been the dev that changed those two lines to !empty because in working with a specific image I uncovered the fact that isset will return true if it's passed a null array. !empty will return false which is the reaction I felt was most appropriate.

Means that you haven't applied the fix as suggested. You should perform the actual upgrade instead of trying to fix only parts, especially if you don't understand what a parse error is. Don't clutter this thread with individual support requests.
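The two points discussed in this thread, as an added example that is not Coppermine's code and not the actual fix in displayimage.php: image metadata is escaped before it reaches the page, and an empty metadata array is skipped with `!empty()` where `isset()` would let it through. The function names `render_metadata_rows` and `metadata_block` and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added illustration only. Names and sample data are hypothetical.

/**
 * Build HTML table rows from image metadata.
 * Keys and values come from the uploaded file, so both are treated as
 * untrusted and HTML-escaped before output.
 */
function render_metadata_rows(array $fields): string
{
    $html = '';
    foreach ($fields as $label => $value) {
        if (is_array($value)) {
            // Multi-valued fields (e.g. IPTC keywords) are flattened first.
            $value = implode(', ', array_map('strval', $value));
        }
        $value = trim((string) $value);
        if ($value === '') {
            continue; // nothing to show for this field
        }
        $html .= '<tr><td>' . htmlspecialchars((string) $label, ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
               . "</td></tr>\n";
    }
    return $html;
}

/**
 * Return a metadata table, or an empty string when there is nothing to render.
 * isset() is true for a variable holding an empty array, so it cannot be used
 * to decide whether rows exist; !empty() is false for both null and array().
 */
function metadata_block($fields): string
{
    if (empty($fields) || !is_array($fields)) {
        return '';
    }
    $rows = render_metadata_rows($fields);
    return $rows === '' ? '' : "<table>\n" . $rows . "</table>\n";
}

// Constructed sample data: a comment field carrying markup, and an image
// for which the parser returned no IPTC fields at all.
$exif = array('Make' => 'ExampleCam', 'Comment' => '<script>alert(1)</script>');
$iptc = array();

echo metadata_block($exif); // markup in the comment is emitted as entities
echo metadata_block($iptc); // emits nothing, and no notices are raised
```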